---
layout: docs
page_title: 'Commands: TLS CA Create'
sidebar_title: ca
---

# Consul TLS CA Create

Command: `consul tls ca create`

This command create a self signed CA to be used for Consul TLS setup.

## Example

Create CA:

```shell-session
$ consul tls ca create
==> Saved consul-ca.pem
==> Saved consul-ca-key.pem
```

## Usage

Usage: `consul tls ca create [filename-prefix] [options]`

#### TLS CA Create Options

- `-additional-name-constraint=<value>` - Add name constraints for the CA.
  Results in rejecting certificates for other DNS than specified. Can be used
  multiple times. Only used in combination with `-name-constraint`.

- `-days=<int>` - Provide number of days the CA is valid for from now on, defaults to 5 years.

- `-domain=<string>` - Domain of consul cluster. Only used in combination with
  `-name-constraint`. Defaults to `consul`.

- `-name-constraint` - Add name constraints for the CA. Results in rejecting
  certificates for other DNS than specified. If turned on localhost and -domain
  will be added to the allowed DNS. If the UI is going to be served over HTTPS
  its DNS has to be added with `-additional-constraint`. It is not possible to
  add that after the fact! Defaults to false.
